How to diagnose CERTIFICATE_VERIFY_FAILED on Windows for websites working in browsers?
Hi Python enthusiasts,

I'm working on youtube-dl, a handy tool for downloading videos from various websites. There are occasional bug reports with SSL error CERTIFICATE_VERIFY_FAILED when people are trying to download videos from youtube.com [1] or dailymotion.com [2]. The issue about youtube.com turned out to be expired intermediate CA certificates. Some users report that there are one or more expired "Google Internet Authority G2" certificates on their machines. Apparently OpenSSL verifies the whole certificate chain and reports an error as soon as it finds an invalid certificate in the chain.

My question is: how to tell from several possible causes to CERTIFICATE_VERIFY_FAILED? Currently both expired and self-signed certificates lead to CERTIFICATE_VERIFY_FAILED. Thanks for any help or advice.

Best,
Yen Chi Hsuan

[1] https://github.com/rg3/youtube-dl/issues/7309
[2] https://github.com/rg3/youtube-dl/issues/10574
--
https://mail.python.org/mailman/listinfo/python-list
Re: How to diagnose CERTIFICATE_VERIFY_FAILED on Windows for websites working in browsers?
On Fri, Sep 9, 2016 at 2:22 PM, dieter wrote:

> Chi Hsuan Yen writes:
> > ...
> > Apparently OpenSSL verifies the whole certificate chain and
> > reports an error as soon as it finds an invalid certificate in the chain.
>
> As it must, if you require verification.
>
> When I remember right, you can disable the verification altogether
> (though you should not for security reasons).

Yeah we have a CLI option for that, and fortunately (or unfortunately?) it works fine.

> > My question is: how to tell from several possible causes to
> > CERTIFICATE_VERIFY_FAILED? Currently both expired and self-signed certificates
> > lead to CERTIFICATE_VERIFY_FAILED. Thanks for any help or advice.
>
> I would try to find (or write) a utility that follows the certificate
> chain and provides detailed information about its state.

Thanks a lot! I just lost my direction when trying to understand how certificate verification works in Python.
Re: How to diagnose CERTIFICATE_VERIFY_FAILED on Windows for websites working in browsers?
On Fri, Sep 9, 2016 at 2:54 PM, dieter wrote:

> Chi Hsuan Yen writes:
> > ...
> > Thanks a lot! I just lost my direction when trying to understand how
> > certificate verification works in Python.
>
> It sets things up for "OpenSSL" and then delegates all details
> to it.

Thanks, sounds a great start point. I'll look into OpenSSL.
Re: How to diagnose CERTIFICATE_VERIFY_FAILED on Windows for websites working in browsers?
On Fri, Sep 9, 2016 at 4:18 PM, Chi Hsuan Yen wrote:

> On Fri, Sep 9, 2016 at 2:54 PM, dieter wrote:
>
>> Chi Hsuan Yen writes:
>> > ...
>> > Thanks a lot! I just lost my direction when trying to understand how
>> > certificate verification works in Python.
>>
>> It sets things up for "OpenSSL" and then delegates all details
>> to it.
>
> Thanks, sounds a great start point. I'll look into OpenSSL.

I found that OpenSSL provides an X509 callback hook that allows clients to know why the verification process fails. Seems CPython does not use it yet. I hope it can be added to CPython. Where should I go next, python-dev, python-ideas or bugs.python.org? Thanks.
Re: How to diagnose CERTIFICATE_VERIFY_FAILED on Windows for websites working in browsers?
On Fri, Sep 9, 2016 at 5:52 PM, Chris Angelico wrote:

> On Fri, Sep 9, 2016 at 7:47 PM, Chi Hsuan Yen wrote:
> > I found that OpenSSL provides an X509 callback hook that allows clients to
> > know why the verification process fails. Seems CPython does not use it yet.
> > I hope it can be added to CPython. Where should I go next, python-dev,
> > python-ideas or bugs.python.org? Thanks.
>
> Are you wanting a way to provide a custom callback from your
> application, or have this as a standard feature that enhances the
> error return?
>
> Either way, I would go to python-ideas with details about what you're
> hoping for. It sounds like it's not going to be overly complex, so it
> might end up just going straight to the tracker, but I'd start with
> -ideas.
>
> ChrisA

Thanks. I'll try to organize what I want and post to python-ideas.

Best,
Yen Chi Hsuan
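
An added example, not part of the original thread: a small diagnostic of the kind suggested above, which separates the causes of CERTIFICATE_VERIFY_FAILED and lists expired CA certificates in the local trust store. It relies on `ssl.SSLCertVerificationError` and its `verify_code` / `verify_message` attributes, which exist in Python 3.7 and later; the names `CAUSES`, `classify`, `expired_cas` and `diagnose` are made up for this sketch.

```python
import socket
import ssl
import time

# Selected OpenSSL X509_V_ERR_* verify codes and what they usually mean.
CAUSES = {
    9: "a certificate in the chain is not yet valid (check the system clock)",
    10: "a certificate in the chain has expired",
    18: "the server presented a self-signed certificate",
    19: "the chain ends in a self-signed root that is not trusted locally",
    20: "an issuer certificate is missing from the local trust store",
    21: "the leaf's issuer was neither sent by the server nor found locally",
    62: "the certificate does not match the requested hostname",
}


def classify(exc):
    """Turn an SSLCertVerificationError into (verify code, likely cause)."""
    code = getattr(exc, "verify_code", None)
    fallback = getattr(exc, "verify_message", None) or str(exc)
    return code, CAUSES.get(code, fallback)


def expired_cas(ca_certs, now=None):
    """Common names of expired entries in SSLContext.get_ca_certs() output."""
    now = time.time() if now is None else now
    out = []
    for cert in ca_certs:
        if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
            subject = dict(rdn[0] for rdn in cert["subject"])
            out.append(subject.get("commonName", "<no CN>"))
    return out


def diagnose(host, port=443, timeout=10):
    """Attempt a verified handshake; return None on success, else a report."""
    ctx = ssl.create_default_context()  # on Windows this loads the system stores
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return None
    except ssl.SSLCertVerificationError as exc:
        code, cause = classify(exc)
        return {"code": code, "cause": cause,
                "expired_local_cas": expired_cas(ctx.get_ca_certs())}
```

Calling `diagnose("www.youtube.com")` on an affected machine returns the verify code together with any expired CA entries loaded from the local store, which is enough to tell an expired intermediate from a self-signed or untrusted chain without disabling verification.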